blackroad-os/backroad
9
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,026 Commits 534 Branches 194 Tags
b3d0ee6f53e1f004423569a729c08bc3a0733cb4
Commit Graph

13 Commits

Author SHA1 Message Date
Chaim Lev-Ari
a12a0b61dc feat(containers): enforce disable bind mounts (#4110) (#4467) 
* feat(containers): enforce disable bind mounts (#4110)

* feat(containers): enforce disable bind mounts

* refactor(docker): move check for endpoint admin to a function

* feat(docker): check if service has bind mounts

* feat(services): allow bind mounts for endpoint admin

* feat(container): enable bind mounts for endpoint admin

* fix(services): fix typo

* fix(docker): tag user as admin when auth is disabled
 2021-03-04 11:50:35 +01:00
Chaim Lev-Ari
06db4e0ad4 fix(auth): skip security checks with --no-auth flag (#4513) 
* fix(stacks): skip security checks if no-auth

* fix(containers): skip security check when auth is disabled

* fix(volumes): show browse if auth is disabled
 2021-01-18 09:31:23 +13:00
Chaim Lev-Ari
9f92e0aee3 feat(settings): introduce setting to disable container caps for non-admins (#4109) (#4510) 
* feat(settings): introduce settings to allow/disable

* feat(settings): update the setting

* feat(docker): prevent user from using caps if disabled

* refactor(stacks): revert file

* style(api): remove portainer ns
 2020-12-09 17:15:19 +13:00
Chaim Lev-Ari
5ebb03cb4e feat(settings): add setting to disable device mapping for regular users (#4017) 
* feat(settings): introduce device mapping service

* feat(containers): hide devices field when setting is on

* feat(containers): prevent passing of devices when not allowed

* feat(stacks): prevent non admin from device mapping

* feat(stacks): disallow swarm stack creation for user

* refactor(settings): replace disableDeviceMapping with allow

* fix(stacks): remove check for disable device mappings from swarm

* feat(settings): rename field to disable

* feat(settings): supply default value for disableDeviceMapping

* feat(container): check for endpoint admin
 2020-07-13 16:32:56 +12:00
Maxime Bajeux
0f58ece899 feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970) 
* feat(containers): Prevent non-admin users from running containers using the host namespace pid

* feat(containers): add rbac check for swarm stack too

* feat(containers): remove forgotten conflict

* feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action

* feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html

* feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers
 2020-07-08 09:48:34 +12:00
Maxime Bajeux
4c0d8ce732 feat(containers): Ensure users cannot create privileged containers via the API (#3969) 
* feat(containers): Ensure users cannot create privileged containers via the API

* feat(containers): add rbac check in stack creation
 2020-06-30 17:13:37 +12:00
Maxime Bajeux
ebac85b462 feat(volumes): add a switch to use CIFS volumes (#3823) 
* feat(volumes): add a switch to use CIFS volumes

* feat(volumes): switch between nfs and cifs

* feat(volumes): autofix sharepoint, hide driveroptions and allow to create unnammed volume

* feat(volumes): change cifs version select options

* feat(volumes): change few things
 2020-05-15 13:28:51 +12:00
Anthony Lapenna
29c0584454 fix(api): update restricted volume browsing operation logic (#3798) 
* fix(api): prevent a potential panic

* fix(api): update restricted volume browsing operation logic
 2020-05-12 16:08:01 +12:00
Maxime Bajeux
8046fb0438 fix(volumes): add unicity check on volumes (#3779) 
* fix(volumes): add unicity check on volumes

* fix(volumes): add header to volume creation request

* fix(volumes): change few things
 2020-05-09 09:40:49 +12:00
William
8bea0988dd fix(api): lower Docker client API version for backwards support (#3534) 2020-01-29 17:36:28 +13:00
William
17bc17f638 fix(api): fix an issue with ownership for services and stacks (#3512) 2020-01-21 08:09:30 +13:00
Anthony Lapenna
badb6ee50f fix(http): update volume browsing validation (#3416) 2019-12-03 10:42:55 +13:00
Anthony Lapenna
19d4db13be feat(api): rewrite access control management in Docker (#3337) 
* feat(api): decorate Docker resource creation response with resource control

* fix(api): fix a potential resource control conflict between stacks/volumes

* feat(api): generate a default private resource control instead of admin only

* fix(api): fix default RC value

* fix(api): update RC authorizations check to support admin only flag

* refactor(api): relocate access control related methods

* fix(api): fix a potential conflict when fetching RC from database

* refactor(api): refactor access control logic

* refactor(api): remove the concept of DecoratedStack

* feat(api): automatically remove RC when removing a Docker resource

* refactor(api): update filter resource methods documentation

* refactor(api): update proxy package structure

* refactor(api): renamed proxy/misc package

* feat(api): re-introduce ResourceControlDelete operation as admin restricted

* refactor(api): relocate default endpoint authorizations

* feat(api): migrate RBAC data

* feat(app): ResourceControl management refactor

* fix(api): fix access control issue on stack deletion and automatically delete RC

* fix(api): fix stack filtering

* fix(api): fix UpdateResourceControl operation checks

* refactor(api): introduce a NewTransport builder method

* refactor(api): inject endpoint in Docker transport

* refactor(api): introduce Docker client into Docker transport

* refactor(api): refactor http/proxy package

* feat(api): inspect a Docker resource labels during access control validation

* fix(api): only apply automatic resource control creation on success response

* fix(api): fix stack access control check

* fix(api): use StatusCreated instead of StatusOK for automatic resource control creation

* fix(app): resource control fixes

* fix(api): fix an issue preventing administrator to inspect a resource with a RC

* refactor(api): remove useless error return

* refactor(api): document DecorateStacks function

* fix(api): fix invalid resource control type for container deletion

* feat(api): support Docker system networks

* feat(api): update Swagger docs

* refactor(api): rename transport variable

* refactor(api): rename transport variable

* feat(networks): add system tag for system networks

* feat(api): add support for resource control labels

* feat(api): upgrade to DBVersion 22

* refactor(api): refactor access control management in Docker proxy

* refactor(api): re-implement docker proxy taskListOperation

* refactor(api): review parameters declaration

* refactor(api): remove extra blank line

* refactor(api): review method comments

* fix(api): fix invalid ServerAddress property and review method visibility

* feat(api): update error message

* feat(api): update restrictedVolumeBrowserOperation method

* refactor(api): refactor method parameters

* refactor(api): minor refactor

* refactor(api): change Azure transport visibility

* refactor(api): update struct documentation

* refactor(api): update struct documentation

* feat(api): review restrictedResourceOperation method

* refactor(api): remove unused authorization methods

* feat(api): apply RBAC when enabled on stack operations

* fix(api): fix invalid data migration procedure for DBVersion = 22

* fix(app): RC duplicate on private resource

* feat(api): change Docker API version logic for libcompose/client factory

* fix(api): update access denied error message to be Docker API compliant

* fix(api): update volume browsing authorizations data migration

* fix(api): fix an issue with access control in multi-node agent Swarm cluster
 2019-11-13 12:41:42 +13:00